On Tue, May 13, 2014 at 1:06 PM, Ian Hickson <i...@hixie.ch> wrote:
> On Tue, 13 May 2014, Eduardo' Vela\" <Nava> wrote:
> >
> > Thanks!
> >
> > Just to ensure this wasn't lost in the thread.
> >
> > What about X-Content-Type-Options: nosniff?
> >
> > Could we formalize it and remove the X and disable sniffing
> > altogether?
>
> Do you mean for manifests specifically, or more generally?

I agree it's wrong to do it as a one-off, so was hoping to make it more general (since there seems to be a move on moving out of the CT model).

If that's not OK, then CSP is probably a reasonable way forward (I'll take a look at the Service Worker thread to ensure we have a similar mitigation in place).

> For manifests specifically, it seems like a very odd feature. "Manifests
> don't have a MIME type normally, but if served with this header, then you
> should also change how you determine if a manifest is a manifest"?
>
> If we just want a way to prevent pages that aren't supposed to be
> manifests from being treated as manifests, I think it'd be better to have
> a CSP directive that disables manifests. Then you would apply it to any
> resource you know you don't want cached, don't want to be treated as being
> able to declare a manifest, and don't want treated as a manifest.
>
> --
> Ian Hickson               U+1047E                )\._.,--....,'``.    fL
> http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
> Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'